Module GSSAPI
- Description
This is Pike glue for GSS-API version 2 as specified in RFC 2743.
GSS-API is used to authenticate users and servers, and optionally also to encrypt communication between them. The API is generic and can be used without any knowledge of the actual implementation of these security services, which is typically provided by the operating system.
The most common implementation at the time of writing is Kerberos, which means that the main benefit of this API is to allow clients and servers to authenticate each other using Kerberos, thereby making single sign-on possible in a Kerberized environment.
All functions in this module that wrap GSS-API routines might throw GSSAPI.Error, and by default they do so for all such errors. Only in some special cases do they return normally after a GSS-API error has occurred, and that is noted in the documentation for those functions.
- Constant INITIATE
Constant ACCEPT
Constant BOTH
constant int GSSAPI.INITIATE
constant int GSSAPI.ACCEPT
constant int GSSAPI.BOTH
- Description
Flags for indicating how a GSSAPI.Cred object may be used:
- INITIATE
The credential can only be used to initiate security contexts (i.e. using GSSAPI.InitContext).
- ACCEPT
The credential can only be used to accept security contexts (i.e. using GSSAPI.AcceptContext).
- BOTH
The credential may be used both to initiate or accept security contexts.
- Constant DELEG_FLAG
Constant MUTUAL_FLAG
Constant REPLAY_FLAG
Constant SEQUENCE_FLAG
Constant CONF_FLAG
Constant INTEG_FLAG
Constant ANON_FLAG
Constant PROT_READY_FLAG
Constant TRANS_FLAG
constant int GSSAPI.DELEG_FLAG
constant int GSSAPI.MUTUAL_FLAG
constant int GSSAPI.REPLAY_FLAG
constant int GSSAPI.SEQUENCE_FLAG
constant int GSSAPI.CONF_FLAG
constant int GSSAPI.INTEG_FLAG
constant int GSSAPI.ANON_FLAG
constant int GSSAPI.PROT_READY_FLAG
constant int GSSAPI.TRANS_FLAG
- Description
Bitfield flags returned by e.g. GSSAPI.Context.services to denote various services that are available in the context.
Brief descriptions of the flags:
- GSSAPI.DELEG_FLAG
Delegation. See RFC 2743 section 1.2.9.
- GSSAPI.MUTUAL_FLAG
Mutual authentication (actually, acceptor authentication). See RFC 2743 sections 1.1.1.3 and 1.2.5.
- GSSAPI.REPLAY_FLAG
Per-message replay detection. See RFC 2743 section 1.2.3.
- GSSAPI.SEQUENCE_FLAG
Per-message sequencing. See RFC 2743 section 1.2.3.
- GSSAPI.CONF_FLAG
Per-message confidentiality. See RFC 2743 section 1.2.2.
- GSSAPI.INTEG_FLAG
Per-message integrity. See RFC 2743 section 1.2.2.
- GSSAPI.ANON_FLAG
Anonymous authentication. See RFC 2743 section 1.2.5.
- GSSAPI.PROT_READY_FLAG
Might be set before context establishment has finished, to denote that per-message protection is already available. See RFC 2743 section 1.2.7. It is always set in GSSAPI.Context and derived classes once the context is established.
- GSSAPI.TRANS_FLAG
The context can be transferred between processes using GSSAPI.Context.export. See RFC 2743 section 1.2.10.
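The credential usage flags (INITIATE, ACCEPT, BOTH) and the service flags above come together when a context is established. The following is an added example, not code from the Pike GSSAPI module or its documentation. Everything it uses that this page does not document is an assumption and is listed in the leading comment: the GSSAPI.Cred constructor arguments, the constructor arguments and init()/accept() methods of GSSAPI.InitContext and GSSAPI.AcceptContext, the wrap()/unwrap() methods, and the hostname server.example.com.

```pike
// Added example; not code from the Pike GSSAPI module or its documentation.
// Everything this page does not document is an assumption, listed here:
//   - GSSAPI.Cred(void|GSSAPI.Name name, int usage) acquires a credential for
//     the principal `name` (0 = the default principal) restricted to `usage`.
//   - GSSAPI.InitContext(cred, target, mech, req_services) and
//     GSSAPI.AcceptContext(cred) provide init(void|string token) and
//     accept(string token), each returning the next token to send or 0 when
//     there is nothing more to send, plus is_established() and services().
//   - GSSAPI.Context->wrap(string msg, int encrypt) and unwrap(string token)
//     give per-message protection once the context is established.
//   - A Kerberos environment where host@server.example.com (a hostname
//     constructed for this example) has a keytab and the client holds a TGT.

// Services the initiator must see before it sends anything sensitive.
// MUTUAL_FLAG: the acceptor authenticated itself to us, not only vice versa.
// REPLAY_FLAG and SEQUENCE_FLAG: replayed or reordered tokens are detected.
constant REQUIRED = GSSAPI.MUTUAL_FLAG | GSSAPI.CONF_FLAG | GSSAPI.INTEG_FLAG
                  | GSSAPI.REPLAY_FLAG | GSSAPI.SEQUENCE_FLAG;

// Bits of REQUIRED that the context does not actually provide. Requested
// services are only a request; the mechanism may grant a subset.
int missing_services(GSSAPI.Context ctx)
{
  return REQUIRED & ~ctx->services();
}

// Run both ends of the handshake in one process. In a deployment the tokens
// travel inside the application protocol; the loop has the same shape.
void establish()
{
  GSSAPI.Name target = GSSAPI.Name("host@server.example.com",
                                   GSSAPI.NT_HOSTBASED_SERVICE);

  // Initiator: usage INITIATE. Asking for BOTH would let the same credential
  // also accept contexts, which a client has no reason to be able to do.
  GSSAPI.Cred client_cred = GSSAPI.Cred(0, GSSAPI.INITIATE);
  GSSAPI.InitContext init =
    GSSAPI.InitContext(client_cred, target, 0, REQUIRED);

  // Acceptor: the service's keytab credential, usage ACCEPT only.
  GSSAPI.Cred server_cred = GSSAPI.Cred(target, GSSAPI.ACCEPT);
  GSSAPI.AcceptContext acc = GSSAPI.AcceptContext(server_cred);

  string token = init->init();        // first token, nothing received yet
  while (token) {
    token = acc->accept(token);       // acceptor consumes it, may reply
    if (!token) break;                // one-way establishment finished
    token = init->init(token);        // initiator consumes the reply
  }

  if (!init->is_established() || !acc->is_established())
    error("GSS-API context establishment did not complete\n");

  // PROT_READY_FLAG may appear in services() before establishment, but
  // MUTUAL_FLAG is only meaningful once is_established() is true; until
  // then the acceptor has not proven who it is. So check after the loop.
  if (int lacking = missing_services(init))
    error("context lacks required services, flag bits 0x%x\n", lacking);

  string sealed = init->wrap("secret payload", 1);   // 1 = encrypt
  write("acceptor read: %s\n", acc->unwrap(sealed));
}

int main()
{
  if (mixed err = catch { establish(); }) {
    werror("%s", describe_error(err));
    return 1;
  }
  return 0;
}
```

The point of checking services() only after is_established() is that a mechanism may grant fewer services than were requested, and a client that starts sending wrapped data on the strength of the request alone may be sending it over a context without confidentiality or without an authenticated peer.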
- Constant BAD_MECH
Constant BAD_NAME
Constant BAD_NAMETYPE
Constant BAD_BINDINGS
Constant BAD_STATUS
Constant BAD_SIG
Constant NO_CRED
Constant NO_CONTEXT
Constant DEFECTIVE_TOKEN
Constant DEFECTIVE_CREDENTIAL
Constant CREDENTIALS_EXPIRED
Constant CONTEXT_EXPIRED
Constant FAILURE
Constant BAD_QOP
Constant UNAUTHORIZED
Constant UNAVAILABLE
Constant DUPLICATE_ELEMENT
Constant NAME_NOT_MN
constant int GSSAPI.BAD_MECH
constant int GSSAPI.BAD_NAME
constant int GSSAPI.BAD_NAMETYPE
constant int GSSAPI.BAD_BINDINGS
constant int GSSAPI.BAD_STATUS
constant int GSSAPI.BAD_SIG
constant int GSSAPI.NO_CRED
constant int GSSAPI.NO_CONTEXT
constant int GSSAPI.DEFECTIVE_TOKEN
constant int GSSAPI.DEFECTIVE_CREDENTIAL
constant int GSSAPI.CREDENTIALS_EXPIRED
constant int GSSAPI.CONTEXT_EXPIRED
constant int GSSAPI.FAILURE
constant int GSSAPI.BAD_QOP
constant int GSSAPI.UNAUTHORIZED
constant int GSSAPI.UNAVAILABLE
constant int GSSAPI.DUPLICATE_ELEMENT
constant int GSSAPI.NAME_NOT_MN
- Description
Constants for routine errors in major status codes like GSSAPI.Error.major_status. See RFC 2743 section 1.2.1.1. Note that major status codes have to be masked with GSSAPI.ERROR_MASK before comparison with these.
Brief descriptions of the routine error codes:
- GSSAPI.BAD_BINDINGS
Channel binding mismatch.
- GSSAPI.BAD_MECH
Unsupported mechanism requested.
- GSSAPI.BAD_NAME
Invalid name provided.
- GSSAPI.BAD_NAMETYPE
Name of unsupported type provided.
- GSSAPI.BAD_STATUS
Invalid input status selector.
- GSSAPI.BAD_SIG
Token had an invalid integrity check (MIC). RFC 2743 names this code GSS_S_BAD_MIC; GSS_S_BAD_SIG is the older name for the same value, and this module uses the older name.
- GSSAPI.CONTEXT_EXPIRED
Specified security context expired.
- GSSAPI.CREDENTIALS_EXPIRED
Expired credentials detected.
- GSSAPI.DEFECTIVE_CREDENTIAL
Defective credential detected.
- GSSAPI.DEFECTIVE_TOKEN
Defective token detected.
- GSSAPI.FAILURE
Failure, unspecified at GSS-API level. GSSAPI.Error.minor_status should provide further details.
- GSSAPI.NO_CONTEXT
No valid security context specified.
- GSSAPI.NO_CRED
No valid credentials provided.
- GSSAPI.BAD_QOP
Unsupported QOP value.
- GSSAPI.UNAUTHORIZED
Operation unauthorized.
- GSSAPI.UNAVAILABLE
Operation unavailable.
- GSSAPI.DUPLICATE_ELEMENT
Duplicate credential element requested.
- GSSAPI.NAME_NOT_MN
Name contains multi-mechanism elements.
- Constant CONTINUE_NEEDED
Constant DUPLICATE_TOKEN
Constant OLD_TOKEN
Constant UNSEQ_TOKEN
Constant GAP_TOKEN
constant int GSSAPI.CONTINUE_NEEDED
constant int GSSAPI.DUPLICATE_TOKEN
constant int GSSAPI.OLD_TOKEN
constant int GSSAPI.UNSEQ_TOKEN
constant int GSSAPI.GAP_TOKEN
- Description
Bitfield flags for the informatory (supplementary) codes in major status codes like GSSAPI.Error.major_status. See RFC 2743 section 1.2.1.1. Any combination of these may be combined with one routine error constant to form a major status code; mask with GSSAPI.INFO_MASK to extract them.
Brief descriptions of the flags:
- GSSAPI.CONTINUE_NEEDED
Continuation call to routine required.
- GSSAPI.DUPLICATE_TOKEN
Duplicate per-message token detected.
- GSSAPI.OLD_TOKEN
Timed-out per-message token detected.
- GSSAPI.UNSEQ_TOKEN
Reordered (early) per-message token detected.
- GSSAPI.GAP_TOKEN
Skipped predecessor token(s) detected.
- Constant ERROR_MASK
constant int GSSAPI.ERROR_MASK
- Description
Bitfield mask for the routine error part of major status codes like GSSAPI.Error.major_status. After applying this mask, the status values may be compared to any of the routine error constants.
- Constant INFO_MASK
constant int GSSAPI.INFO_MASK
- Description
Bitfield mask for the informatory part of major status codes like GSSAPI.Error.major_status.
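The routine error constants, the informatory codes and the two masks are meant to be used together when handling a GSSAPI.Error. The following is an added example, not code from the Pike GSSAPI module or its documentation. It relies only on the constants and the GSSAPI.Error fields (major_status, minor_status) documented on this page; the two things it assumes are that a GSSAPI.Error object can be recognised with Program.inherits(object_program(err), GSSAPI.Error), and that GSSAPI.Context->unwrap(string token) raises a GSSAPI.Error carrying the offending major status when a per-message token is rejected.

```pike
// Added example; not code from the Pike GSSAPI module or its documentation.
// Assumptions: GSSAPI.Error is recognisable via Program.inherits(), and
// GSSAPI.Context->unwrap(string token) raises GSSAPI.Error with the
// offending major_status when a per-message token is rejected.

// Value-to-name tables built from the documented constants.
constant ROUTINE_ERRORS = ([
  GSSAPI.BAD_MECH: "BAD_MECH",
  GSSAPI.BAD_NAME: "BAD_NAME",
  GSSAPI.BAD_NAMETYPE: "BAD_NAMETYPE",
  GSSAPI.BAD_BINDINGS: "BAD_BINDINGS",
  GSSAPI.BAD_STATUS: "BAD_STATUS",
  GSSAPI.BAD_SIG: "BAD_SIG",
  GSSAPI.NO_CRED: "NO_CRED",
  GSSAPI.NO_CONTEXT: "NO_CONTEXT",
  GSSAPI.DEFECTIVE_TOKEN: "DEFECTIVE_TOKEN",
  GSSAPI.DEFECTIVE_CREDENTIAL: "DEFECTIVE_CREDENTIAL",
  GSSAPI.CREDENTIALS_EXPIRED: "CREDENTIALS_EXPIRED",
  GSSAPI.CONTEXT_EXPIRED: "CONTEXT_EXPIRED",
  GSSAPI.FAILURE: "FAILURE",
  GSSAPI.BAD_QOP: "BAD_QOP",
  GSSAPI.UNAUTHORIZED: "UNAUTHORIZED",
  GSSAPI.UNAVAILABLE: "UNAVAILABLE",
  GSSAPI.DUPLICATE_ELEMENT: "DUPLICATE_ELEMENT",
  GSSAPI.NAME_NOT_MN: "NAME_NOT_MN",
]);

constant INFO_CODES = ([
  GSSAPI.CONTINUE_NEEDED: "CONTINUE_NEEDED",
  GSSAPI.DUPLICATE_TOKEN: "DUPLICATE_TOKEN",
  GSSAPI.OLD_TOKEN: "OLD_TOKEN",
  GSSAPI.UNSEQ_TOKEN: "UNSEQ_TOKEN",
  GSSAPI.GAP_TOKEN: "GAP_TOKEN",
]);

// Split a major status into its routine error (masked with ERROR_MASK) and
// its informatory bits (masked with INFO_MASK). Never compare an unmasked
// status to a routine error constant: FAILURE combined with GAP_TOKEN would
// silently fail to equal FAILURE.
array decode_major(int major)
{
  int routine = major & GSSAPI.ERROR_MASK;
  string name = routine
    ? (ROUTINE_ERRORS[routine] || sprintf("routine error 0x%x", routine))
    : "COMPLETE";
  array(string) infos = ({});
  foreach (INFO_CODES; int bit; string info)
    if (major & GSSAPI.INFO_MASK & bit) infos += ({ info });
  return ({ name, infos });
}

// Informatory codes meaning a per-message token was replayed, stale, out of
// order, or preceded by missing tokens. On a context that has REPLAY_FLAG
// or SEQUENCE_FLAG these are evidence of replay or tampering, not a
// transient condition: tear the connection down rather than retry.
constant REPLAY_INFO = GSSAPI.DUPLICATE_TOKEN | GSSAPI.OLD_TOKEN
                     | GSSAPI.UNSEQ_TOKEN | GSSAPI.GAP_TOKEN;

int indicates_replay(int major)
{
  return !!(major & GSSAPI.INFO_MASK & REPLAY_INFO);
}

// Expired state is worth a fresh handshake; everything else is a hard failure.
int needs_reestablish(int major)
{
  int routine = major & GSSAPI.ERROR_MASK;
  return routine == GSSAPI.CONTEXT_EXPIRED
      || routine == GSSAPI.CREDENTIALS_EXPIRED;
}

// Unwrap one received token. Returns the plaintext, or 0 after logging a
// verdict the caller can act on (close the connection, re-establish, ...).
string|int(0..0) receive(GSSAPI.Context ctx, string token)
{
  mixed err = catch { return ctx->unwrap(token); };
  if (!objectp(err) || !Program.inherits(object_program(err), GSSAPI.Error))
    throw(err);                        // not a GSS-API error; propagate
  array decoded = decode_major(err->major_status);
  string routine = decoded[0];
  array(string) infos = decoded[1];
  if (indicates_replay(err->major_status))
    werror("replay/sequence violation (%s): closing connection\n",
           infos * ", ");
  else if (needs_reestablish(err->major_status))
    werror("%s: context must be re-established\n", routine);
  else
    werror("unwrap failed: %s%s (minor status %d)\n", routine,
           sizeof(infos) ? " [" + infos * ", " + "]" : "",
           err->minor_status);
  return 0;
}
```

FAILURE on its own says nothing about the cause; that is the case where minor_status, which is mechanism-specific, is the value to log.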
- Constant NT_HOSTBASED_SERVICE
Constant NT_USER_NAME
Constant NT_MACHINE_UID_NAME
Constant NT_STRING_UID_NAME
Constant NT_ANONYMOUS
Constant NT_EXPORT_NAME
Constant KRB5_NT_PRINCIPAL_NAME
constant string GSSAPI.NT_HOSTBASED_SERVICE
constant string GSSAPI.NT_USER_NAME
constant string GSSAPI.NT_MACHINE_UID_NAME
constant string GSSAPI.NT_STRING_UID_NAME
constant string GSSAPI.NT_ANONYMOUS
constant string GSSAPI.NT_EXPORT_NAME
constant string GSSAPI.KRB5_NT_PRINCIPAL_NAME
- Description
OIDs in dotted-decimal form for the GSS-API mechanism-independent name types, and some selected mechanism-specific ones:
- NT_HOSTBASED_SERVICE
Name type for a service associated with a host computer. The syntax is service@hostname where the @hostname part may be omitted for the local host. See RFC 2743 section 4.1.
- NT_USER_NAME
Name type for a named user on a local system. The syntax is username. See RFC 2743 section 4.2.
- NT_MACHINE_UID_NAME
Name type for a numeric user identifier corresponding to a user on a local system. The string representing a name of this type should contain a locally-significant user ID, represented in host byte order. See RFC 2743 section 4.3.
- NT_STRING_UID_NAME
Name type for a string of digits representing the numeric user identifier of a user on a local system. This name type is similar to the Machine UID Form, except that the buffer contains a string representing the user ID. See RFC 2743 section 4.4.
- NT_ANONYMOUS
Name type to identify anonymous names. See RFC 2743 section 4.5.
- NT_EXPORT_NAME
Name type for the Mechanism-Independent Exported Name Object type, which is the type of the names returned by GSSAPI.Name.export. See RFC 2743 section 4.7.
- KRB5_NT_PRINCIPAL_NAME
Name type for a Kerberos principal. See RFC 1964 section 2.1.1.
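Constructing names of these types and comparing them safely is where most authorization mistakes happen, so here is an added example, not code from the Pike GSSAPI module or its documentation. It assumes a GSSAPI.Name(string name, string name_type_oid) constructor and a GSSAPI.Name->canonicalize(string mech_oid) method, neither of which is documented on this page; GSSAPI.Name.export() is documented above as producing the NT_EXPORT_NAME form. The Kerberos v5 mechanism OID 1.2.840.113554.1.2.2 is from RFC 1964, and the principals and hostnames are constructed for the example.

```pike
// Added example; not code from the Pike GSSAPI module or its documentation.
// Assumptions beyond what this page documents:
//   - GSSAPI.Name(string name, string name_type_oid) constructs a name.
//   - GSSAPI.Name->canonicalize(string mech_oid) returns the mechanism name
//     (MN) for that mechanism. GSSAPI.Name->export() is documented on this
//     page, but per RFC 2743 it only succeeds for an MN.
//   - Kerberos v5 mechanism OID 1.2.840.113554.1.2.2, from RFC 1964.

constant KRB5_MECH = "1.2.840.113554.1.2.2";

// NT_HOSTBASED_SERVICE: "service@hostname". The hostname must be the one the
// client intends to talk to; deriving it from an untrusted reverse DNS lookup
// lets an attacker steer the client toward a principal of their choosing.
GSSAPI.Name service_name(string service, string host)
{
  return GSSAPI.Name(service + "@" + host, GSSAPI.NT_HOSTBASED_SERVICE);
}

// KRB5_NT_PRINCIPAL_NAME: "primary/instance@REALM".
GSSAPI.Name krb5_principal(string principal)
{
  return GSSAPI.Name(principal, GSSAPI.KRB5_NT_PRINCIPAL_NAME);
}

// Canonical, mechanism-qualified byte string for a name. Exporting a name
// that is not yet an MN fails with NAME_NOT_MN; canonicalize and retry.
string canonical(GSSAPI.Name n, string mech)
{
  mixed err = catch { return n->export(); };
  if (objectp(err) && Program.inherits(object_program(err), GSSAPI.Error)
      && (err->major_status & GSSAPI.ERROR_MASK) == GSSAPI.NAME_NOT_MN)
    return n->canonicalize(mech)->export();
  throw(err);
}

// ACL keyed on exported names. Comparing display strings is not safe: the
// same text can denote different principals under different mechanisms or
// realms, and display forms are not guaranteed to be stable.
mapping(string:int) build_acl(array(GSSAPI.Name) allowed, string mech)
{
  mapping(string:int) acl = ([]);
  foreach (allowed, GSSAPI.Name n) acl[canonical(n, mech)] = 1;
  return acl;
}

int(0..1) authorized(mapping(string:int) acl, GSSAPI.Name peer, string mech)
{
  return acl[canonical(peer, mech)];
}

int main()
{
  mapping(string:int) acl = build_acl(({
    krb5_principal("alice@EXAMPLE.COM"),
    service_name("backup", "host1.example.com"),
  }), KRB5_MECH);

  // In a server, `peer` is the authenticated initiator name obtained from the
  // established GSSAPI.AcceptContext; it is constructed here for the example.
  GSSAPI.Name peer = krb5_principal("alice@EXAMPLE.COM");
  write("alice authorized: %d\n", authorized(acl, peer, KRB5_MECH));
  return 0;
}
```

A context established with ANON_FLAG yields an anonymous initiator name (NT_ANONYMOUS) rather than a principal; an ACL keyed on exported names rejects it automatically, which is the behaviour you want unless the service is deliberately open to anonymous callers.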